
What are DMARC, SPF, and DKIM?

You have probably left no stone unturned to improve the deliverability of your emails, but have you succeeded? Or have you left a few stones unturned after all?

An incorrect configuration of DMARC, SPF, or DKIM might be why you are facing email deliverability issues. With Google and Yahoo setting new email deliverability rules for bulk emailing, DMARC, SPF, and DKIM are more important than ever!

And it’s completely fine if you are unfamiliar with these terms or don’t even know what they stand for.

The Internet service providers (ISPs) you use need to verify that you are the person or business you claim to be. If you don’t set up DMARC, SPF, and DKIM correctly, your ISP won’t be able to authenticate your identity.

However, how do you do that, and what are the other advantages of these settings? 

Keep reading to find out!

What is SPF?

Email spoofing is a huge issue people face in their online lives, but they can’t do much about it. It happens when someone sends an email falsely claiming to be someone else. And most email clients have taken strict measures to prevent this.

Now, you’re not the only one in the queue who wants a solution to the email spoofing problem. That’s where SPF comes in!

SPF stands for Sender Policy Framework. SPF works as an email validation protocol and helps not only detect but also block email spoofing. The framework verifies whether or not the domain’s administrators have authorized the IP address the mail is coming from.

A domain’s DNS (Domain Name System) zone holds an SPF record that allows only a few specific IP addresses to send emails from that domain. It can be compared to the return address we see on a postcard.

Don’t you find postcards with return addresses more credible and recognizable? It’s the same for emails, because when an email is delivered, its return-path domain is checked by the ISPs. And the SPF record works as that path.

Internet service providers check whether the IP address an email is coming from aligns with the IP address mentioned in the SPF record of the domain from where the email is sent. If the verification is successful, ISPs deliver the email and block it otherwise. 

The importance of SPF

Email spamming and phishing are common problems that most people struggle with. Senders with great sending reputations are targeted the most by spammers. That’s why setting up SPF records is the best solution.

SPF is a practice standard that’s proposed to protect against phishing issues. The main tactic of email spammers and phishers is to claim a false identity. That’s why SPF is important: it contains a list of the domain’s addresses and makes it easy to verify whether the email is spam.

Whenever someone tries to send an email pretending to be you, ISPs will block it by checking the domain addresses listed in the SPF record.

How to set up an SPF Record?

As technical as the term may sound, setting up an SPF record isn’t that hard. All you have to do is simply follow a few steps and have your SPF records ready.

Let’s explain the steps to you as briefly as possible. 

1. Gather the IP addresses

You probably use the email from your home, office, or workplace. IP addresses are different in each place. So, as your first step, gather your frequently used IP addresses for sending emails, and don’t forget to consider which email servers you usually use for sending emails.

2. Make a sending domain list

Your company probably has a few domains, and not all of them are used for sending email. So pick the ones you use for sending emails. Unless you do this, spammers will try to spoof your subdomains, which people often forget to add to the SPF record.

3. Create the SPF record

Now that you have made a list of the IP addresses you want to include, it’s time to create the SPF record. Here’s what you need to do.

  • Use the v=spf1 (version 1) tag to get started. Keep putting the IP addresses you want to authorize after the tag, each prefixed with ip4: (or ip6: for IPv6). For instance, v=spf1 ip4:2.3.6.7 ip4:4.3.5.4
  • What if you are using a third-party email service provider to send emails on your behalf? You can simply use the “include” statement and add this to your record. For example, (include:demothirdparty.com)
  • Once you add the tags, finish the record with either the -all or ~all tag. A ~all indicates a soft SPF fail, while a -all indicates a hard SPF fail.
  • Make sure your SPF records are under 255 characters and do not include more than 10 include statements.
  • The domains that you are not going to send emails from should exclude everything except -all. For example, v=spf1 -all

4. Publish SPF to DNS 

The first approach to publishing the SPF record should be contacting the DNS server administrator. Publishing lets the mailbox providers reference your SPF record. The procedure for publishing SPF to DNS varies depending on the hosting provider. If you use a host like GoDaddy, it is comparatively easier for you, as they have simpler procedures.

If you are not sure about your DNS records or if your ISP administers them, you should consult the IT department to get the necessary support. Sometimes, if you are lucky enough, the email service providers publish SPFs on your behalf. 

5. Test 

Now that the SPF records are ready and published to DNS, it’s time to check whether it’s enough to prevent spammers from stealing your identity. Before you start worrying about the complexity of performing a test, you can use an SPF-checking tool to test your SPF record.

The tool will show you what the recipients see and the servers given the authorization to send emails from your domain. If you see that any IP address you are supposed to add is not in the list, you can also update it from the tool.
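As an added example (not part of the original article and not the code of any SPF-checking tool), this Python function checks a record against the rules from step 3 before it is published. The function name and the sample records are constructed for illustration, and the check goes one step beyond the list above: RFC 7208 counts a, mx, ptr, exists and redirect terms toward the limit of 10, not only include.

```python
import ipaddress
import re

# Terms that trigger a DNS query; RFC 7208 allows at most 10 of them per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:([:=/])(.+))?$")

def lint_spf(record):
    """Return a list of problems found in one SPF TXT record value."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, terminated = [], 0, False
    if len(record) > 255:
        problems.append("longer than 255 characters")
    for pos, term in enumerate(terms[1:], start=1):
        m = TERM.match(term)
        if not m:
            problems.append(f"malformed term: {term}")
            continue
        qualifier, name, sep, value = m.group(1) or "+", m.group(2), m.group(3), m.group(4)
        if name in ("ip4", "ip6"):
            try:  # the address must parse and match the ip4/ip6 family
                net = ipaddress.ip_network(value or "", strict=False)
                if sep != ":" or net.version != int(name[2]):
                    raise ValueError(term)
            except ValueError:
                problems.append(f"bad address in: {term}")
        elif name in LOOKUP_TERMS:
            lookups += 1
            terminated = terminated or name == "redirect"
        elif name == "all":
            terminated = True
            if qualifier not in "-~":
                problems.append(f"{term} does not fail unauthorised senders")
            if pos != len(terms) - 1:
                problems.append("terms after all are never evaluated")
        elif name != "exp":
            problems.append(f"unknown term: {term}")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10")
    if not terminated:
        problems.append("record should end with -all or ~all")
    return problems

# Constructed sample records (documentation address, made-up domain).
if __name__ == "__main__":
    for rec in ("v=spf1 ip4:192.0.2.10 include:demothirdparty.com -all",
                "v=spf1 ip2.3.6.7 +all"):
        print(rec, "->", lint_spf(rec) or "ok")
```

An empty list means the record passed every check; a record such as `v=spf1 -all` for a non-sending domain also passes.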

What is DKIM?

DKIM stands for DomainKeys Identified Mail. It helps companies to handle messages that are in transit. DKIM employs cryptography to verify the validity of a new domain name identifier appended to a message.

DKIM, a TXT record signature, aids in establishing credibility between sender and recipient. DKIM lets you verify the authenticity of each email you send by verifying its digital signature. 

However, how does DKIM work? 

DKIM generates a public key and a private key digitally through an encryption technique. These keys are usually generated by your ESP automatically. The private key remains on the device that created the email.

A signature made with the first (private) key can only be checked with the second (public) key. With the “d=” domain and “s=” selector in the DKIM signature, a sender announces the DNS record that contains the public key, and so the location of the key.

The DNS owner protects the privacy of the private key, which is stored on the sending email server. If the data in the decrypted signature is consistent with the data it received in the unencrypted header, then it is assumed that the header wasn’t tampered with in transit.
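The check described above, as an added example that is not code from the original article: it reads the d= and s= tags to find the DNS name of the public key and recomputes the bh= body hash to detect a modified body. The domain, selector and message are constructed; verifying the b= signature itself also needs the public key from DNS and is not done here.

```python
import base64
import hashlib
import re

def parse_tags(header_value):
    """Split a DKIM-Signature value into tags; folding whitespace is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_location(tags):
    """DNS name of the TXT record that holds the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canon_body(body, mode):
    """Body canonicalization from RFC 6376, section 3.4 ('simple' or 'relaxed')."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse runs of spaces/tabs, drop trailing whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end are ignored
        lines.pop()
    out = b"".join(ln + b"\r\n" for ln in lines)
    return out if out or mode == "relaxed" else b"\r\n"

def body_hash(body, mode="simple"):
    """The value a signer puts in bh= (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def body_intact(header_value, body):
    """True when the received body still matches the signed bh= value."""
    tags = parse_tags(header_value)
    _, _, body_mode = tags.get("c", "simple/simple").partition("/")
    return body_hash(body, body_mode or "simple") == tags["bh"]

# Constructed sample: domain, selector and body are made up; b= is left empty
# because checking it needs the RSA public key fetched from key_location().
BODY = b"Your invoice is attached.\r\n\r\n"
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024;\r\n"
          " h=from:to:subject; bh=" + body_hash(BODY, "relaxed") + "; b=")

if __name__ == "__main__":
    print(key_location(parse_tags(HEADER)))
    print(body_intact(HEADER, BODY))
    print(body_intact(HEADER, BODY.replace(b"invoice", b"refund")))
```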

The importance of DKIM

DKIM doesn’t provide just a layer of security. Rather, it brings three to the table, ensuring—

  • The email content has not been modified or tampered with
  • The headers of an email are not changed from the original, and a new “from” domain is not added 
  • The email sender owns the DKIM domain as well or at least has authorization from the domain owner 

Considering the factors DKIM covers for a company, it’s safe to say that if someone has DKIM enabled, they will have nothing to worry about when it comes to identity theft.

How to set up DKIM?

Setting up DKIM is way easier than it sounds! Just follow the steps below to set up DKIM:

1. Configuration of DKIM

As the first step, you’ll need to configure DKIM. This isn’t something that you have to do manually. There are tools available for configuring DKIM regardless of your device.

If you’re using a Windows device, PuTTYgen is the tool you’ll need to use. Necessary information is available in this tutorial. Linux and Mac users can utilize ssh-keygen for configuring DKIM. You can also follow this GitHub tutorial for the configuration process.

2. Placing the public key as a TXT record

As the second step of setting up DKIM, you’ll need to place the public key as a TXT record in your desired DNS settings. The procedure for doing this varies depending on the DNS provider, so we did the hard work and made you a documentation list of the most popular DNS providers.

If you still struggle to set up your DKIM after reading the DNS documentation, online agencies can help you with this.

3. Signature generation and saving

As the last step, you’ll need to generate signatures and save those. Most popular SMTP servers that support milter let you do this very easily. Simply use the (=email filter) filter to do your job.

What is DMARC?

In addition to Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), DMARC (Domain-Based Message Authentication, Reporting, and Conformance) is used to ensure the authenticity of where an email is coming from.

In this method, SPF and DKIM are used, and they have to be successful and synchronized for DMARC to pass. Simply put, DMARC can’t function without either DKIM or SPF.

DMARC requires a DKIM and SPF pass before approving any email. As a result, it doubles your email server’s protection.

If an email satisfies both authentications, it means that it is sent from an authorized server, and the header or information hasn’t been changed either. If the email satisfies at least one authentication, it indicates that the sender is who they say they are. 

There must be coherence between the message’s From-domain and its Return-Path-domain for SPF to function properly. When it comes to DKIM authentication, the From domain and the DKIM d= domain of the message must be similar. 

Importance of DMARC

The importance of DMARC is, needless to say, that it uses two of the most advanced technologies to verify an email’s authenticity. It helps reduce the chances of phishing and provides detailed reporting on authentication. It also helps to:

  • Increase the email delivery rate from your domain while decreasing the bounce rate
  • Bring spamming issues down to almost zero with many layers of protection
  • Make people less likely to steal your identity
  • Give you extensive control over which domains and ISPs you allow to send emails from your domain

How to set up DMARC?

The setup procedure of DMARC mostly depends on which host you use. But editing or adding a TXT entry is easy if you know the right ways. We will tell you the easiest way of doing that:

1. Create a record 

As the first step, you’ll need to contact the DNS hosting provider you use. Once you log in, create a TXT record. To do that, you’ll mostly need to fill out three fields. The names of these fields may vary depending on the DNS provider. The names are:

  • Host/Name
  • Record Type
  • Value

2. Select record type

Once you have created the record, the system will ask you to select a type. In the drop-down menu, you’ll see quite a few options; choose the TXT format. You can read this article to find out more about setting up a DMARC record.

3. Add host value

For this step, you have to provide the input value for the DMARC record, also known as the host value. The system adds your domain or subdomain to the value you provide. If you set up DMARC for any subdomain, the value should be _dmarc.subdomain. Then the DNS provider will do its job, and the result will look something like this:

HOST/NAME: _dmarc.example.examples.com

4. Add “Value” information

All DMARC records must have two tag-value pairs. They are represented as ‘v’ and ‘p’. The v tag can only be set to DMARC1, while the p tag can take one of three values: none, quarantine, and reject. So it may look like:

p=none, p=quarantine and lastly, p=reject

It’s better to start the DMARC record with p=none. The reason is that the chances of accidentally quarantining or rejecting an email are very small with this value. And you should never forget to take advantage of the “rua” tag. It provides detailed results on how your emails are performing.

5. Save the record

Once you add the value information, it’s time to hit the save button. The record will be generated, and you can run a DMARC record check to see whether your added values are working properly.
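As an added example (not part of the original article and not any provider’s record checker), this Python code builds the host name from step 3 and checks a record value against the rules from step 4 before you save it. The function names and sample values are constructed; the pct tag is not covered in this article but is defined for DMARC records in RFC 7489.

```python
POLICIES = {"none", "quarantine", "reject"}

def dmarc_host(domain):
    """DNS name where the DMARC TXT record for `domain` is published."""
    return "_dmarc." + domain.strip(".").lower()

def parse_dmarc(value):
    """Return the record's tags as an ordered list of (name, value) pairs."""
    pairs = []
    for part in value.split(";"):
        if part.strip():
            name, _, val = part.partition("=")
            pairs.append((name.strip().lower(), val.strip()))
    return pairs

def lint_dmarc(value):
    """Return a list of problems found in one DMARC TXT record value."""
    pairs = parse_dmarc(value)
    tags = dict(pairs)
    problems = []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("first tag must be v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        problems.append("p must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua tag: no aggregate reports will arrive")
    else:
        for uri in tags["rua"].split(","):  # several report addresses are allowed
            if not uri.strip().lower().startswith("mailto:") or "@" not in uri:
                problems.append(f"rua address is not a mailto: URI: {uri.strip()}")
    pct = tags.get("pct", "100")  # share of failing mail the policy applies to
    if not pct.isdigit() or int(pct) > 100:
        problems.append("pct must be a whole number from 0 to 100")
    return problems

# Constructed sample values; example.com and the mailbox are placeholders.
if __name__ == "__main__":
    print(dmarc_host("mail.example.com"))
    for value in ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
                  "p=reject; v=DMARC1; rua=dmarc-reports@example.com"):
        print(value, "->", lint_dmarc(value) or "ok")
```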

The difference between DMARC, SPF, and DKIM

If you have been introduced to email authentication terms for the first time through this article, we understand the confusing state you are in right now.

That’s why we’ll enlighten you about the differences between SPF, DKIM, and DMARC. So, before you go, you have a better understanding of what to use and when.

SPF vs. DMARC

  • There is no need for DMARC while using SPF. However, you can’t solely rely on SPF because it might have problems in other areas.
  • DMARC ensures that emails are coming from a trusted source by utilizing both the SPF and DKIM methods
  • As of now, there is no way for domain owners to get notifications about delivery failures using SPF.
  • DMARC can send out specific reports if an email has failed to be delivered 

SPF vs. DKIM

  • SPF decides which IP addresses someone can use for sending emails, whereas DKIM authenticates an email using encryption keys as well as digital signatures
  • While DKIM utilizes an encryption mechanism to generate a pair of electronic keys, SPF does not
  • With SPF, the message envelope may be customized with additional data. But it is not possible with DKIM as a digital signature is retained as part of the email header

DMARC vs. DKIM 

  • Establishing SPF and DKIM records is necessary for publishing a DMARC record
  • DKIM is not actually dependent on any other authentication system to operate. But pairing it with DMARC helps to store false negatives
  • While DKIM helps with only confirming whether an email is legit, DMARC provides guidance on what to do with suspicious messages.

Wrapping up

Low email deliverability rates and emails ending up in spam are two of the worst nightmares for any email marketer. Hopefully, this article helped you understand everything about the most popular email authentication methods.

By utilizing the newfound knowledge, you’ll increase your company’s email deliverability rate and secure your domains from spammers always looking to steal identities.

Have a wonderful day!
